Endpoint Security Guide: EDR, MDM, and Zero Trust for Devices
A practical guide to endpoint security — EDR capabilities, MDM enrollment, device compliance policies, BYOD risks, and applying zero trust principles to devices.
Every laptop, desktop, and mobile device that accesses your corporate applications is a potential entry point. The endpoint is where phishing succeeds, where malware executes, and where credentials are harvested. Endpoint security is the collection of controls that reduce the probability of compromise, detect compromise when it occurs, and limit the damage from a compromised device.
Modern endpoint security has three pillars: EDR for threat detection and response, MDM for device management and compliance, and zero trust principles that make device trust a dynamic, continuous assessment rather than a binary "on the VPN" decision.
Endpoint Detection and Response (EDR)
EDR platforms collect comprehensive telemetry from endpoints — every process execution, file creation, registry modification, network connection, and DNS query — and use behavioral analytics, machine learning, and threat intelligence to detect malicious activity.
What EDR gives you that traditional AV does not:
| Capability | Traditional AV | EDR |
|---|---|---|
| Signature detection | Yes | Yes |
| Behavioral detection | Limited | Yes |
| Memory inspection | No | Yes |
| Process tree visibility | No | Yes |
| Lateral movement detection | No | Yes |
| Threat hunting | No | Yes |
| Incident investigation | Minimal | Comprehensive |
| Response actions (kill, isolate) | No | Yes |
Key EDR vendors:
- CrowdStrike Falcon — Cloud-native, agent-based, industry-leading threat intelligence via Falcon X. Single agent for EPP + EDR + MDR.
- SentinelOne Singularity — Autonomous AI response, strong rollback capability for ransomware, unified platform for endpoints + cloud + identity.
- Microsoft Defender for Endpoint — Deep integration with the Microsoft 365 ecosystem, excellent value for Microsoft-centric organizations, included in M365 E5.
- Palo Alto Cortex XDR — Strong cross-telemetry correlation (endpoint + network + cloud), well-suited for organizations with Palo Alto infrastructure.
EDR alert triage:
Most EDR platforms generate a stream of alerts, not all of which require immediate action. A typical tier model:
- Critical: Confirmed malware execution, ransomware activity, credential dumping. Auto-isolate the endpoint and page on-call.
- High: Suspicious PowerShell execution, lateral movement indicators, privilege escalation. Alert to SOC within 1 hour.
- Medium: Potentially unwanted application, policy violation, anomalous but not confirmed malicious. Analyst review within 4 hours.
- Informational: Enrichment data, threat hunting leads. Batch review daily.
Threat hunting with EDR telemetry:
EDR platforms provide query interfaces (CrowdStrike OverWatch, SentinelOne Deep Visibility, Microsoft Advanced Hunting) to proactively search for indicators of compromise.
Microsoft Advanced Hunting (KQL):

```kusto
// Find processes spawned by Office applications (potential macro execution)
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("WINWORD.exe", "EXCEL.exe", "POWERPNT.exe")
    and FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
| where Timestamp > ago(7d)
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
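The same hunt in plain Python over a few constructed DeviceProcessEvents-style records, as an added example (not code from the page or from Microsoft): it reproduces the query's case-insensitive parent/child match, the 7-day window, the projected columns and the newest-first ordering, then maps each hit onto the triage tiers above (that tier mapping is an assumption, not something the page states).

```python
from datetime import datetime, timedelta, timezone

# Constructed telemetry with the DeviceProcessEvents columns the query projects.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"Timestamp": NOW - timedelta(hours=2), "DeviceName": "lt-042",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -File macro.ps1",
     "InitiatingProcessFileName": "WINWORD.EXE",
     "InitiatingProcessCommandLine": "WINWORD.EXE invoice.docm"},
    {"Timestamp": NOW - timedelta(days=1), "DeviceName": "lt-017",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami",
     "InitiatingProcessFileName": "excel.exe",          # case differs: in~ still matches
     "InitiatingProcessCommandLine": "EXCEL.EXE q2.xlsm"},
    {"Timestamp": NOW - timedelta(days=9), "DeviceName": "lt-017",
     "FileName": "wscript.exe", "ProcessCommandLine": "wscript.exe old.vbs",
     "InitiatingProcessFileName": "WINWORD.EXE",         # older than ago(7d): excluded
     "InitiatingProcessCommandLine": "WINWORD.EXE old.doc"},
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "lt-003",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c dir",
     "InitiatingProcessFileName": "explorer.exe",        # not an Office parent: excluded
     "InitiatingProcessCommandLine": "explorer.exe"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
PROJECTED = ("Timestamp", "DeviceName", "FileName", "ProcessCommandLine",
             "InitiatingProcessFileName", "InitiatingProcessCommandLine")

def office_spawned_shells(events, now=NOW, lookback=timedelta(days=7)):
    """Same logic as the KQL: in~ is case-insensitive, ago(7d) is the window,
    project keeps six columns, order by Timestamp desc puts newest first."""
    hits = [e for e in events
            if e["InitiatingProcessFileName"].lower() in OFFICE_PARENTS
            and e["FileName"].lower() in SCRIPT_HOSTS
            and e["Timestamp"] > now - lookback]
    hits.sort(key=lambda e: e["Timestamp"], reverse=True)
    return [{k: e[k] for k in PROJECTED} for e in hits]

def triage_tier(hit):
    """Assumed mapping onto the tier model above: PowerShell launched from
    Office is treated as High; other script hosts queue as Medium for review."""
    return "High" if hit["FileName"].lower() == "powershell.exe" else "Medium"
```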
Mobile Device Management (MDM)
MDM provides centralized management of corporate devices and enforces security policies that are prerequisites for access to corporate resources.
MDM platforms:
- Microsoft Intune — Deeply integrated with Entra ID and Microsoft 365. Best choice for Microsoft-centric environments. Supports Windows, macOS, iOS, Android.
- Jamf Pro — Best-in-class for Apple device management. The default choice for Mac-heavy engineering organizations.
- VMware Workspace ONE — Strong for diverse device fleets, VDI integration.
- Google Endpoint Management — Adequate for Android and ChromeOS; lighter on iOS/macOS management depth.
Baseline device compliance policies:

```json
{
  "deviceCompliancePolicy": {
    "osVersion": {
      "minimumVersion": "macOS 14.0",
      "requireLatestSecurityPatch": true
    },
    "security": {
      "requireDeviceEncryption": true,
      "requireFirewallEnabled": true,
      "requireGatekeeperEnabled": true,
      "requirePasswordEnabled": true,
      "minimumPasswordLength": 8,
      "requirePasswordComplexity": "alphanumeric",
      "passwordExpirationDays": 365,
      "maximumPasswordAge": 365
    },
    "securitySoftware": {
      "requireAntivirusEnabled": true,
      "requireAntivirusUpToDate": true
    },
    "systemIntegrity": {
      "requireSipEnabled": true,
      "blockJailbrokenDevices": true
    }
  }
}
```
Integrating MDM compliance with Conditional Access:
The most powerful MDM deployment integrates compliance signals with identity provider Conditional Access policies. A device that fails compliance checks (disk not encrypted, EDR not installed, OS out of date) is blocked from accessing corporate applications — not just flagged.
Entra ID Conditional Access:

```text
IF user accesses [Microsoft 365, internal apps]
  REQUIRE device marked as compliant in Intune
  REQUIRE device is Azure AD joined or Hybrid AD joined
  REQUIRE MFA
IF not compliant → redirect to self-remediation portal
```
BYOD (Bring Your Own Device) Risks
BYOD programs reduce hardware costs but introduce security challenges that are often underestimated.
Core tensions:
- Employee privacy vs. corporate security (can you install EDR on a personal device?)
- Corporate data isolation vs. seamless work experience
- Employee agreement to MDM enrollment vs. full MDM control
Approaches:
Full MDM enrollment: The corporate profile on the device is fully managed. The employer can remote wipe the device (some MDMs support selective wipe of only corporate data). Appropriate for corporate-owned devices.
MAM (Mobile Application Management) without MDM: Corporate apps (email, Slack, Teams) are individually managed via an SDK in the application. Corporate data is encrypted within managed apps and cannot be shared to unmanaged apps. The corporate IT does not control the OS or other apps. More employee-privacy-friendly but limited visibility.
VDI/Virtual Desktop: Corporate work happens in a virtual desktop that runs in the cloud. The BYOD device is just a display terminal — no corporate data ever lives on the device. Maximum isolation, maximum friction.
Containerization: Apps like Microsoft Outlook and Teams use containerized storage — corporate emails and files are stored in an encrypted container the employer controls. Separate from the personal device storage.
BYOD policy considerations:
- Clearly document what the employer can and cannot see/control
- Define what happens at offboarding (selective wipe of corporate container)
- Define minimum OS version and security requirements as a condition of access
- Provide a path for employees who do not want MDM on personal devices (option to use company-provided device or VDI)
Zero Trust Device Principles
Zero trust treats device trust as dynamic and continuous, not binary.
Traditional: "Is the device on the corporate VPN? Yes → trust everything." Zero trust: "What is the device's current security posture? Is the user's identity verified? Does the requested resource match the user's role? Grant access to this specific resource for this session only."
Device trust signals in a zero trust model:
- Is the device managed by corporate MDM?
- Is the device compliant (encrypted, patched, EDR installed, screen lock enabled)?
- Is the device joining from an expected network or location?
- Does the device have a valid certificate issued by the corporate CA?
- Is the EDR agent showing any active alerts for this device?
- When was the device last seen? (A device that hasn't connected in 30 days may have been decommissioned or stolen)
Implementing device trust with Conditional Access (Entra ID + Intune):

```text
Policy: "Require compliant device for high-risk applications"
Conditions:
  Users: All
  Cloud apps: Salesforce, GitHub Enterprise, Production AWS Console
  Device state: Device marked as NOT compliant in Intune
Action: Block access
Show message: "Your device does not meet security requirements. Visit aka.ms/devicesetup to fix."
```
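A compliance and access evaluator, added here as an example (not code from the page, Intune or Entra ID), that ties the baseline compliance JSON above to the Conditional Access policy just shown: it checks the policy keys against a constructed device posture record (the posture field names are assumptions), adds the zero trust signals from the list above (MDM managed, active EDR alerts, last seen within 30 days), and returns the block or grant outcome with the policy's remediation message. It is written to be called on every resource request, which is the continuous-assessment point made below.

```python
# Baseline policy keys from the compliance JSON above (the subset checked here).
POLICY = {
    "osVersion": {"minimumVersion": "macOS 14.0"},
    "security": {"requireDeviceEncryption": True, "requireFirewallEnabled": True,
                 "requireGatekeeperEnabled": True, "minimumPasswordLength": 8},
    "securitySoftware": {"requireAntivirusEnabled": True},
    "systemIntegrity": {"requireSipEnabled": True, "blockJailbrokenDevices": True},
}
HIGH_RISK_APPS = {"Salesforce", "GitHub Enterprise", "Production AWS Console"}
MESSAGE = "Your device does not meet security requirements. Visit aka.ms/devicesetup to fix."

# Constructed posture record as an MDM/EDR integration might report it (field names assumed).
DEVICE = {"os": "macOS 13.6.1", "encrypted": True, "firewall": False, "gatekeeper": True,
          "password_length": 12, "av_enabled": True, "sip": True, "jailbroken": False,
          "mdm_managed": True, "edr_active_alerts": 0, "last_seen_days_ago": 2}

def _version(s):
    # "macOS 14.0" -> (14, 0); "macOS 13.6.1" -> (13, 6, 1); tuples compare numerically
    return tuple(int(p) for p in s.split()[-1].split("."))

def compliance_failures(device, policy=POLICY):
    """Names of the baseline checks the device fails (empty list = compliant)."""
    sec, si = policy["security"], policy["systemIntegrity"]
    checks = [
        (_version(device["os"]) < _version(policy["osVersion"]["minimumVersion"]), "os_out_of_date"),
        (sec["requireDeviceEncryption"] and not device["encrypted"], "not_encrypted"),
        (sec["requireFirewallEnabled"] and not device["firewall"], "firewall_disabled"),
        (sec["requireGatekeeperEnabled"] and not device["gatekeeper"], "gatekeeper_disabled"),
        (device["password_length"] < sec["minimumPasswordLength"], "password_too_short"),
        (policy["securitySoftware"]["requireAntivirusEnabled"] and not device["av_enabled"], "av_disabled"),
        (si["requireSipEnabled"] and not device["sip"], "sip_disabled"),
        (si["blockJailbrokenDevices"] and device["jailbroken"], "jailbroken"),
    ]
    return [name for failed, name in checks if failed]

def access_decision(device, app, max_silence_days=30):
    """One evaluation of 'Require compliant device for high-risk applications';
    run it on every resource request, not only at login."""
    if app not in HIGH_RISK_APPS:
        return {"action": "grant", "reasons": []}      # policy does not apply
    reasons = [] if device["mdm_managed"] else ["unmanaged"]
    reasons += compliance_failures(device)
    if device["edr_active_alerts"] > 0:               # active EDR alert signal
        reasons.append("edr_alert")
    if device["last_seen_days_ago"] > max_silence_days:  # possibly decommissioned or stolen
        reasons.append("stale_device")
    if reasons:
        return {"action": "block", "reasons": reasons, "message": MESSAGE}
    return {"action": "grant", "reasons": []}
```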
Certificate-based device authentication:
Issue certificates from a corporate CA to managed devices. Require client certificates for access to internal applications. A device without a valid corporate certificate cannot connect, even with valid user credentials.
```text
# Generate device certificate via Intune SCEP profile
# Certificate is bound to device identity, not user identity
# Even if user credentials are phished, attacker cannot authenticate
# without also having the device certificate
```
Continuous assessment:
Re-evaluate device compliance at each new resource access request, not just at initial login. A device that was compliant at 9 AM but had EDR disabled at 11 AM should have its access re-evaluated at 11 AM.
This is the direction cloud identity providers are moving — Microsoft's Continuous Access Evaluation (CAE) and Google's Context-Aware Access both provide mechanisms for near-real-time revocation based on changing device or user signals.
Endpoint security is not a product you buy and configure once. It is an ongoing practice of monitoring, policy enforcement, and response. The threat landscape evolves faster than vendor signatures. Behavioral detection, continuous compliance enforcement, and rapid isolation capabilities are what keep compromised endpoints from becoming compromised businesses.